There is a tool to check a website for vulnerabilities. Check the most relevant sites you use, where your password being broken would be critical, like online banking and similar. I did check PayPal and it is safe.

My bank uses a card reader to generate a number which I use to log in with. This changes each time I use it, so I assume that this precludes any problems with the bug as no password is used.

I also use Thunderbird to log in to Yahoo, is that compromised as well?

Rui, it may be that a site is safe now, but was it safe (as Browni says, it's been around for two years)? What we need is some openness from all sites about whether they have been affected and if they've updated their software. Only then can we be sure whether or not our passwords have been compromised. I'm not holding my breath.

I would still change passwords on sites where I would not like my passwords to be known and monitor any movements, purchases, etc., for the near future. One of the risks here is that the private keys were compromised, requiring the issuing of new certificates to avoid any future problems. This basically means you need to be very careful about what happens in relevant sites you use where the vulnerability was present. Of course, if you don't know, just keep tabs on movements and purchases in the key sites you use.

As this vulnerability has been around for 2 years I am starting to get nervous...

I think there is no big reason for that. Has anything happened with your accounts? Strange movements, unexplained events? If not, there is no reason to become overly nervous, though you should monitor what goes on in your most important sites.

The vulnerability does not automatically lead to your passwords being discovered, just the possibility, and that is still difficult to do because an attacker would either need to intercept your data, or capture the information from the web site computer at the very moment you log on. The biggest issue is that SSL certificates on affected sites are no longer private because the keys can be stolen, but that still requires a very sophisticated attack to gain your passwords.